The present invention relates to an automation network for monitoring the security of transfer of data packets, and to a method for monitoring the security of the transfer of data packets.
The following discussion of related art is provided to assist the reader in understanding the advantages of the invention, and is not to be construed as an admission that this related art is prior art to this invention.
From the point of view of data processing, industrial automation networks consist of a data network and of data processing devices, which are connected to one another in order to perform data communication through the data network. For instance, in order to enable an industrial plant which is automated by the automation network to be operated from a remote station, automation networks can be linked by a gateway to a public network, e.g. the Internet. Various advantages in the realization of modern automation networks result in the increased use of IT technologies such as Ethernet and the Internet Protocol (IP). This nevertheless results in an increase in the security risks, for instance due to unauthorized attacks from the outside into the respective automation network.
The term “automation networks” is to be understood hereinafter as automation systems, control installations, production installations, manufacturing installations or suchlike. The automation devices of the automation installation can be embodied to perform a computing task. For this purpose the automation devices may include a computing facility, for instance a processor (CPU). Furthermore, the automation devices may include input/output facilities, which can detect process parameters and can output corresponding actuating signals.
The paper “Ganzheitliches anlagenweites Security Management—Werkzeuge für die automatisierte Unterstützung” [Global installation-wide security management—tools for automated assistance] by Anna Palmin, Stefan Runde and Pierre Kobes, published in March 2012, pages 34-40, describes measures for improving the security in industrial automation networks. One of the important measures within the scope of a global security management system is the acquisition and evaluation of messages which various components of the automation network generate during events and which possibly permit an attack to be identified. A superordinate unit collects and evaluates the messages in order to identify from the notified single events, or from a composition of a number of events, whether an attack is actually taking place and, if necessary, reports this to a location so that suitable measures can be introduced as a response to the identified attack. This functionality is referred to as Security Event Management (SEM). A further functionality relates to the generation of reports, in order to prove adherence to guidelines. This is referred to as Security Information Management (SIM). If one unit joins the two cited functionalities, it is referred to as Security Information and Event Management (SIEM). A computing unit with a software tool which serves to realize a SIEM in an automation network is designated in the afore-cited paper as a security station. The security station is arranged structurally in a process control system (PCS). An operator station and the security station can run jointly on one personal computer (PC) or on two separate PCs. The security station can likewise be realized on a maintenance station which is already available. It serves to integrate the security management into the process control system and to allow it to run in parallel to the installation automation. The existing views, such as e.g. the operation view and the maintenance view, are thus extended by an additionally integrated security view onto the installation. Moreover, the message and archiving system present in the automation network can be used to process the messages generated for security-relevant events. Alternatively to an integrated software tool, the security station can be realized as a tool which is independent of specific products and has clearly defined interfaces. It is thus flexible in the context of PCS and SCADA systems (Supervisory Control and Data Acquisition). The software tool of the security station serves to monitor the security in the automation network on the basis of acquiring and evaluating messages generated by a control unit (frequently referred to as an operator station), a programmable logic controller (a so-called controller), network components such as routers, switches or gateways, or field devices such as actuators or measuring transducers for pressure, temperature or flow rate. These devices are generalized here as data processing devices or, in brief, as event sources; on account of their preconfiguration with security-relevant events, they generate corresponding messages. Examples of security-relevant events are a detected failed logon attempt on a PC, which is recorded in the Windows Event Log, or a detected unauthorized access to an IP address, which is rejected by a firewall and is, if necessary, written into a log file. A normalization of the reported events is performed in so-called connectors of the SIEM system. The normalization is generally realized as the mapping of individual components or parameters onto the data structure of the SIEM.
A SIEM system is generally configured in the engineering phase, i.e. during the project planning and the commissioning of an automation technology installation. The configuration comprises, inter alia, the linking of data processing nodes which come into consideration as sources for messages of security-relevant events to the SIEM system using the corresponding connectors. Attempts are made to ensure that the SIEM system does not communicate with any sources of event messages which are unknown to it, since this could negatively affect the reliability of the security monitoring. It must likewise be ensured that, in the case of security-relevant events, corresponding messages are actually generated by the relevant data processing device. The primary objective of a SIEM system used in an automation installation consists in promptly identifying and evaluating reports of attempted attacks or deviations from the normal state. The SIEM system should enable attempted attacks and abnormalities to be responded to promptly and adequately, and should also provide for the long-term storage of security-relevant information and the generation of reports.
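As an added illustration of the connector normalization described above and of the engineering-phase rule that the SIEM only accepts messages from sources linked to it, the following Python example (written for this page, not code from the cited paper or the patent) maps two constructed raw message formats, a Windows-style logon failure and a firewall rejection line, onto one common SIEM record, rejects a message from an unconfigured source, and evaluates the records both as single events and as a composition of several events. Source identifiers, message formats and the thresholds are hypothetical.

```python
import re
from collections import defaultdict

# Event sources linked to the SIEM in the engineering phase (constructed
# inventory; the device identifiers are hypothetical).
CONFIGURED_SOURCES = {"OS01": "windows", "FW01": "firewall"}

# Constructed raw messages: Windows-style logon failures from OS01, a firewall
# rejection from FW01, and a message from XX99, which was never configured.
RAW_MESSAGES = [
    ("OS01", "2024-01-05T08:00:01 LogonFailure user=operator src=10.0.0.7"),
    ("OS01", "2024-01-05T08:00:04 LogonFailure user=operator src=10.0.0.7"),
    ("OS01", "2024-01-05T08:00:09 LogonFailure user=operator src=10.0.0.7"),
    ("FW01", "2024-01-05T08:01:00 DROP src=10.0.0.7 dst=192.168.1.20 dport=502"),
    ("XX99", "2024-01-05T08:01:30 LogonFailure user=admin src=10.0.0.9"),
]

WIN_RE = re.compile(r"^(\S+) LogonFailure user=(\S+) src=(\S+)$")
FW_RE = re.compile(r"^(\S+) DROP src=(\S+) dst=(\S+) dport=(\d+)$")

def connector_windows(raw):
    """Connector: map a Windows-style logon failure onto the SIEM record."""
    m = WIN_RE.match(raw)
    return m and {"time": m[1], "category": "logon_failure",
                  "origin": m[3], "target": m[2]}

def connector_firewall(raw):
    """Connector: map a firewall rejection line onto the SIEM record."""
    m = FW_RE.match(raw)
    return m and {"time": m[1], "category": "access_rejected",
                  "origin": m[2], "target": f"{m[3]}:{m[4]}"}

CONNECTORS = {"windows": connector_windows, "firewall": connector_firewall}

def normalize(messages):
    """Return (normalized records, rejected source ids). Messages from sources
    not linked during engineering, or that the connector cannot parse, are
    rejected instead of being evaluated."""
    records, rejected = [], []
    for source_id, raw in messages:
        kind = CONFIGURED_SOURCES.get(source_id)
        rec = CONNECTORS[kind](raw) if kind else None
        if rec is None:
            rejected.append(source_id)
            continue
        records.append({**rec, "source": source_id})
    return records, rejected

def evaluate(records, failure_threshold=3):
    """Report an origin as a suspected attack from a single repeated event type
    (many logon failures) or from a composition of events (a logon failure
    together with a rejected access)."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records:
        counts[rec["origin"]][rec["category"]] += 1
    findings = {}
    for origin, cats in counts.items():
        if cats["logon_failure"] >= failure_threshold:
            findings[origin] = "repeated logon failures"
        elif cats["logon_failure"] and cats["access_rejected"]:
            findings[origin] = "logon failure combined with rejected access"
    return findings
```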
It would therefore be desirable and advantageous to specify an automation network and a method which improves the quality and/or reliability of the identification of indications of attempted attacks or deviations from the normal state in an automation network.